If a device does not require an authorization, then, by default, all users can use the device. If an authorization is required, then only authorized users can use the device.
To deny all access to an allocatable device, see Example 52, Preventing Remote Allocation of the Audio Device. To create and use a new authorization, see Example 54, Creating and Assigning Trusted Path and Non-Trusted Path Device Authorizations.
Before You Begin
You must be in the Security Administrator role in the global zone.
Help files are in HTML format. The naming convention is AuthName.html, as in DeviceAllocateCD.html.
# auths add -t "Authorization description" -h /full/path/to/helpfile.html authorization-name
# profiles rights-profile profiles:rights-profile > add auths="authorization-name"...
# usermod -P "rights-profile" username # rolemod -P "rights-profile" rolename
Add the new authorizations to the list of required authorizations in the Device Manager. For the procedure, see How to Add Site-Specific Authorizations to a Device in Trusted Extensions.
In this example, a security administrator for NewCo needs to construct fine-grained device authorizations for the company.
First, the administrator creates the following help files:
Newco.html NewcoDevAllocateCDVD.html NewcoDevAllocateUSB.html
Next, the administrator creates a template help file from which the other help files are copied and modified.
<HTML> -- Copyright 2012 Newco. All rights reserved. -- NewcoDevAllocateCDVD.html --> <HEAD> <TITLE>Newco Allocate CD or DVD Authorization</TITLE> </HEAD> <BODY> The com.newco.dev.allocate.cdvd authorization enables you to allocate the CD drive on your system for your exclusive use. <p> The use of this authorization by a user other than the authorized account is a security violation. <p> </BODY> </HTML>
After creating the help files, the administrator uses the auths command to create each device authorization. Because the authorizations are used throughout the company, the administrator places the authorizations in the LDAP repository. The command includes the pathname to the help files.
The administrator creates two device authorizations and a Newco authorization header.
One authorization authorizes the user to allocate a CD-ROM or DVD drive.
# auths add -S ldap -t "Allocate CD or DVD" \ -h /docs/helps/NewcoDevAllocateCDVD.html com.newco.dev.allocate.cdvd
One authorization authorizes the user to allocate a USB device.
# auths add -S ldap -t "Allocate USB" \ -h /docs/helps/NewcoDevAllocateUSB.html com.newco.dev.allocate.usb
The Newco authorization header identifies all Newco authorizations.
# auths add -S ldap -t "Newco Auth Header" \ -h /docs/helps/Newco.html com.newco
By default, the Allocate Devices authorization enables allocation from the Trusted Path and from outside the Trusted Path.
In the following example, site security policy requires restricting remote CD-ROM and DVD allocation. The security administrator creates the com.newco.dev.allocate.cdvd.local authorization. This authorization is for CD-ROM and DVD drives that are allocated with the Trusted Path. The com.newco.dev.allocate.cdvd.remote authorization is for those few users who are allowed to allocate a CD-ROM or DVD drive outside the Trusted Path.
The security administrator creates the help files, adds the device authorizations to the auth_attr database, adds the authorizations to the devices, and then places the authorizations in rights profiles. The root role assigns the profiles to users who are allowed to allocate devices.
The following commands add the device authorizations to the auth_attr database:
# auths add -S ldap -t "Allocate Local DVD or CD" \ -h /docs/helps/NewcoDevAllocateCDVDLocal.html \ com.newco.dev.allocate.cdvd.local # auths add -S ldap -t "Allocate Remote DVD or CD" \ -h /docs/helps/NewcoDevAllocateCDVDRemote.html \ com.newco.dev.allocate.cdvd.remote
The following shows the Device Manager assignment:
Local allocation of the CD-ROM drive is protected by the Trusted Path.
Device Name: cdrom_0 For Allocations From: Trusted Path Allocatable By: Authorized Users Authorizations: com.newco.dev.allocate.cdvd.local
Remote allocation is not protected by the Trusted Path, therefore, remote users must be trustworthy. In the final step, the administrator will authorize remote allocation for two roles only.
Device Name: cdrom_0 For Allocations From: Non-Trusted Path Allocatable By: Authorized Users Authorizations: com.newco.dev.allocate.cdvd.remote
The following commands create the Newco rights profiles for these authorizations and add the authorizations to the profiles:
# profiles -S ldap "Remote Allocator" profiles:Remote Allocator > set desc="Allocate Remote CDs and DVDs" profiles:Remote Allocator > set help="/docs/helps/NewcoDevRemoteCDVD.html" profiles:Remote Allocator > add auths="com.newco.dev.allocate.cdvd.remote" profiles:Remote Allocator > end profiles:Remote Allocator > exit
# profiles -S ldap "Local Only Allocator" profiles:Local Only Allocator > set desc="Allocate Local CDs and DVDs" profiles:Local Only Allocator > set help="/docs/helps/NewcoDevLocalCDVD.html" profiles:Local Only Allocator > add auths="com.newco.dev.allocate.cdvd.local" profiles:Local Only Allocator > end profiles:Local Only Allocator > exit
The following commands assign the rights profiles to authorized users. The root role assigns the profiles. At this site, only roles are authorized to remotely allocate peripheral devices.
# usermod -P "Local Only Allocator" jdoe # usermod -P "Local Only Allocator" kdoe
# rolemod -P "Remote Allocator" secadmin # rolemod -P "Remote Allocator" sysadmin